
The Cryptolocker ransomware is installed by a Zbot variant. Once run, it immediately adds itself to Startup under a random name and tries to contact a command-and-control server, sending a 192-byte encrypted packet of the form

where {GROUP_NAME} appears to be derived from the compilation time of the malware, and an example value for {LOCATION_ID} is “en-US”.

If successful, it receives from the server a (presumably freshly generated) public key and a corresponding Bitcoin address. These are written to the registry under keys of the form

HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\

which contain the values PublicKey, VersionInfo and Wallpaper: PublicKey stores the public key, VersionInfo stores the Bitcoin address and the command-and-control server address in encrypted form, while Wallpaper stores the path to an actual wallpaper image containing instructions for the victim:

This done, Cryptolocker begins encrypting documents in any of a long list of formats (the full list of targeted file types was offered as a download with the original post). An AES key is generated for each file to be encrypted; the file is AES-encrypted, the AES key is itself encrypted with the public key, and the encrypted AES key is then appended to the encrypted file.

The paths to the documents are stored in

HKEY_CURRENT_USER\Software\Cryptolocker\Files\

as DWORD values whose names have this form (with “?” in place of the path separator)

C:?DIR?SUBDIR?SUBDIR?readme.doc
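Because the registry entries described above survive even after decryption (see below), an exported copy of the HKCU\Software hive is a handy triage artifact. The following is an added example, not part of the original post or of any Bitdefender tool: it parses a `reg export` style text, reports the Cryptolocker_NUMBER key that holds the public key, and decodes the “?”-separated value names under Cryptolocker\Files back into real paths. The key suffix, hex bytes and file paths in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of a .reg export shaped like the keys the post describes.
# The numeric suffix, hex data and paths are made-up placeholders, not indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Cryptolocker_0388]
"PublicKey"=hex:30,82,01,0a,02
"VersionInfo"=hex:aa,bb,cc
"Wallpaper"="C:\\Users\\victim\\AppData\\Local\\Temp\\wall.bmp"

[HKEY_CURRENT_USER\Software\Cryptolocker\Files]
"C:?Users?victim?Documents?readme.doc"=dword:00000000
"C:?Users?victim?Documents?budget.xlsx"=dword:00000000
"D:?Shares?Finance?Q3?report.pdf"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Key] header lines
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "ValueName"=data lines

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_config_keys(keys):
    """Keys of the form HKCU\\Software\\Cryptolocker_NUMBER (hold PublicKey etc.)."""
    return sorted(k for k in keys
                  if re.fullmatch(r"HKEY_CURRENT_USER\\Software\\Cryptolocker_\d+", k))

def encrypted_files(keys):
    """Decode value names under Cryptolocker\\Files into real paths.
    The malware stores each path with '?' where the backslash would be."""
    files = keys.get(r"HKEY_CURRENT_USER\Software\Cryptolocker\Files", {})
    return [name.replace("?", "\\") for name in files]

def extension_summary(paths):
    """Count affected files per extension, to scope the damage quickly."""
    return Counter(p.rsplit(".", 1)[-1].lower() for p in paths)
```

The decoded path list can be handed straight to a restore-from-backup job, which is the only recovery route the post leaves open without the private key.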

Meanwhile, a variety of messages and instructions are being displayed:

Payment of the ransom can generally be made in Bitcoins, although some Cryptolocker variants also accept Ukash, CashU or, in the US only, MoneyPak prepaid cards, which can only be bought with cash. All of these payment methods are practically anonymous.

Once the victim pays the ransom, the transaction ID must be entered and a verification purportedly follows. If a private key is sent by the server, it is added to the registry and the decryption process begins. If any encrypted files are inaccessible, they are moved to the end of the decryption queue after an error dialog is shown, telling the victim

<<Failed to decrypt a previously encrypted file {FILE_PATH} Perhaps the file may be damaged or used by another process>>

with <<Retry>> and <<Cancel>> buttons provided. The victims are instructed that

“If part of the files had not been decrypted – move them to the desktop and click Retry button”.

When decryption ends, the Cryptolocker files are deleted, but the registry entries are kept. Bitdefender software detects and blocks Cryptolocker from installing, so Bitdefender customers are protected.

For hardy souls who still don’t believe in total security, a Cryptolocker-blocking tool is available here.

About the author

Razvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

48 Comments

If the malware starts to encrypt data ONLY AFTER that wallpaper is shown to the user, this can be considered a little “bug”: if the user shuts down the computer when they see that wallpaper and boots the PC from an AV rescue CD, theoretically they can remove the malware with a minimum of data loss.
Crypto takes time; if they shut the PC down fast, this malware will not have enough time to encrypt lots of files.

Hey, my company just narrowly avoided roughly 4000 computers being touched by this bug through our email server. We haven’t found an infection, but when we do, is there a real solution other than brute force? I’m a private paying customer right now and they are considerably worried about this; the IT guys are getting on my nerves.

Hello Bitdefender, I would like to know how this tool works. I enable immunization and then reboot, OK, but I want to know something about the settings: do I have to turn “Run when Windows starts” on, or is my PC protected if I just enable immunization? Maybe the option “Run when Windows starts” is for updates?

Also, you need to enable “run at start-up” from Settings in order to protect and update the blocking of Cryptolocker daily. Immunization adds one more heuristic and behavior layer of protection and is optional.

[…] Bitdefender Labs offer a CryptoLocker-blocking tool (exe), but otherwise people with infected systems are given three days to pay up; it costs two Bitcoins for their encrypted files to be decrypted. Across the board, security experts say don’t pay. […]

After installation of this tool on an XP machine, a file labeled BDDropper.exe gets installed here: C:\Documents and Settings\user\Local Settings\Temp\BDDocUnifiedLauncher\x86\BDDropper.exe. IS THIS OKAY?

Something interesting:
this malware identifies files by extension, not by file-type fingerprints, so:
if you change file.doc to file.word and associate the “.word” extension with MS Office Word, you can open/view/save that file, but the malware will not find/encrypt it :))

Hi,
How about giving a few explanations about the function of each of the 4 switches in the “general settings”, so we can decide what we wish to put “on” or leave “off”?
My version is: 1,0,5,1.
I also have Bitdefender Total Security installed on my computer.
Thanks

I have seen reports from people paying off the hackers/hijackers/whatever you want to call them. They do decrypt the data, at a rate of 4-8 hours per gigabyte of data. Pretty darn slow if you ask me. They still wiped their systems after that to ensure it didn’t come back. You might as well pay to have a good backup strategy in place, because you’ll pay a lot more in time and effort decrypting it and ensuring it doesn’t come back.

And for those that missed it: you don’t need this tool if you already have an updated and active version of Bitdefender installed. That is according to this article.

You are absolutely correct, a decent off-site backup will do the trick. You have to make sure that it allows for “versioning” so that if your encrypted files get backed up, you can go back to an earlier version. I use a great service that allows going back to the prior 30 versions. It has saved my bacon several times.

My wife’s PC is protected by Bitdefender, but Cryptolocker has scrambled her entire document library. Fortunately, most of it is backed up to Dropbox and they have managed to restore previous versions. However, there are also a large number synced to SharePoint libraries and these seem to be completely trashed.
BE AWARE THAT BITDEFENDER HAS NOT PROTECTED THESE FILES. If you use SharePoint, ensure versioning is turned on.

I’d like to do this install on a few machines I manage via silent install. I’ve written a VBScript that will do that successfully, but in the settings, “Run when Windows starts”, “Minimize to tray on startup” and “Minimize to tray on close button” are turned off. I would like to add whatever registry settings are necessary to the VBScript to turn them on by default so there is no user interaction necessary. Is this possible? My VBScript follows:
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists("C:\Program Files\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
    ' Already installed (32-bit Program Files): nothing to do
    WScript.Quit
ElseIf objFSO.FileExists("C:\Program Files (x86)\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
    ' Already installed (64-bit host): nothing to do
    WScript.Quit
Else
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    ' The installer path that preceded /q did not survive in the original post
    strApp = " /q"
    WSHShell.Exec(strApp)
End If

[…] about Cryptolocker and its ”cool aspect of encrypting all the data.” The ransomware, which Bitdefender has technically documented since 2013, made headlines this year after infecting the systems of over half a million […]

I was infected by CryptoLocker 3.0 last night. It encrypted most but not all of my documents. I rebooted to safe mode and ran the Bitdefender CD. No threats detected. This morning I updated and ran Malwarebytes again. This time some threats were detected and quarantined. No more threats detected. My PC has multiple drives for media and all have been scanned. Is there anything else I can do to be sure this virus is removed?

I too had Total Security on my computer. I had a secondary user profile on Windows. While a friend of mine was using the laptop he somehow picked up this malware. It chewed through 22 GB of data in a week and encrypted a large percentage of my files. I have most of the drive backed up, but this pisses me off. What can be done? I refuse to pay a ransom. My next message will be to the FBI.

Another type of bitcoin-related malware is ransomware. One program called CryptoLocker, typically spread through legitimate-looking email attachments, encrypts the hard drive of an infected computer, then displays a countdown timer and demands a ransom, usually two bitcoins, to decrypt it.